Merge pull request #617 from CrossRealms/do-not-use-macros-of-other-apps

removed macro dependency from other apps
CrossRealms · Aug 27, 2024 · 46ac470 · 46ac470
2 parents 208c7a3 + 00dcf68
commit 46ac470
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 91 deletions.
diff --git a/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json b/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json
@@ -742,7 +742,7 @@
             ],
             "constraints": [
                 {
-                    "search": "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)",
+                    "search": "(`cs_cim_authentication_indexes`) tag=authentication NOT (action=success user=*$)",
                     "owner": "Authentication"
                 }
             ],

diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml b/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml
@@ -288,8 +288,8 @@
       </input>
       <map>
         <search>
-          <query>| tstats `cs_summariesonly_network_traffic` count as inbound from datamodel=Network_Traffic where All_Traffic.dest_ip IN $tkn_filter_ip_only$ by All_Traffic.src_ip | `drop_dm_object_name(All_Traffic)` | iplocation src_ip
-| append [| tstats `cs_summariesonly_network_traffic` count as outbound from datamodel=Network_Traffic where All_Traffic.src_ip IN $tkn_filter_ip_only$ by All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | iplocation dest_ip]
+          <query>| tstats `cs_summariesonly_network_traffic` count as inbound from datamodel=Network_Traffic where All_Traffic.dest_ip IN $tkn_filter_ip_only$ by All_Traffic.src_ip | `cs_drop_dm_object_name(All_Traffic)` | iplocation src_ip
+| append [| tstats `cs_summariesonly_network_traffic` count as outbound from datamodel=Network_Traffic where All_Traffic.src_ip IN $tkn_filter_ip_only$ by All_Traffic.dest_ip | `cs_drop_dm_object_name(All_Traffic)` | iplocation dest_ip]
 | eval ip=coalesce(src_ip, dest_ip)
 | `cs_network_generate_location_for_internal_network(ip)`
 | lookup `cs_palo_search_blocked_ip_lookup_name` ip as src_ip OUTPUT blocked 
@@ -347,7 +347,7 @@
       </input>
       <table>
         <search>
-          <query>| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` $tkn_filter_authentication$ Authentication.action IN ("success","failure") Authentication.app="*" by Authentication.app Authentication.action Authentication.user, Authentication.src | `drop_dm_object_name(Authentication)`  | iplocation src | fields - lat lon</query>
+          <query>| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` $tkn_filter_authentication$ Authentication.action IN ("success","failure") Authentication.app="*" by Authentication.app Authentication.action Authentication.user, Authentication.src | `cs_drop_dm_object_name(Authentication)`  | iplocation src | fields - lat lon</query>
           <earliest>$tkn_timeRange_radius_authentication.earliest$</earliest>
           <latest>$tkn_timeRange_radius_authentication.latest$</latest>
         </search>
@@ -371,7 +371,7 @@
       <table>
         <search>
           <query>| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` $tkn_filter_authentication$ Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app="*" `cs_authentication_app_filter` by Authentication.app Authentication.action Authentication.user, Authentication.src
-          | `drop_dm_object_name(Authentication)`  | iplocation src | fields - lat lon</query>
+          | `cs_drop_dm_object_name(Authentication)`  | iplocation src | fields - lat lon</query>
           <earliest>$tkn_timeRange_authentication.earliest$</earliest>
           <latest>$tkn_timeRange_authentication.latest$</latest>
         </search>

diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml
@@ -96,7 +96,7 @@
       <title>Application Authentication Success Rate</title>
       <table>
         <search>
-          <query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `drop_dm_object_name(Authentication)`
+          <query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `cs_drop_dm_object_name(Authentication)`
 | chart count by app action
 | addtotals
 | eval "Success%" = round(success / Total * 100,2)
@@ -122,7 +122,7 @@
             <link target="_blank">/app/cyences_app_for_splunk/cs_o365_reports</link>
           </condition>
           <condition>
-            <link target="_blank">search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$click.value|s$%20%7C%20%60drop_dm_object_name(Authentication)%60&amp;earliest=$timeRange.earliest$&amp;latest=$timeRange.latest$</link>
+            <link target="_blank">search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$click.value|s$%20%7C%20%60cs_drop_dm_object_name(Authentication)%60&amp;earliest=$timeRange.earliest$&amp;latest=$timeRange.latest$</link>
           </condition>
         </drilldown>
       </table>
@@ -144,7 +144,7 @@
       <table>
         <search>
           <query>| tstats `cs_summariesonly_authentication` count as count, latest(_time) as last_login from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ Authentication.user=$tkn_user|s$ `cs_authentication_app_filter` by Authentication.user, Authentication.app, Authentication.action
-| `drop_dm_object_name(Authentication)`
+| `cs_drop_dm_object_name(Authentication)`
 | eval over_field=user."|".app
 | chart sum(count) as count, max(last_login) as last_login over over_field by action
 | rex field=over_field "(?&lt;user&gt;[^\|]*)\|(?&lt;app&gt;.*)" | fields - over_field
@@ -163,7 +163,7 @@
             <link target="_blank">/app/cyences_app_for_splunk/cs_o365_reports?form.tkn_user=$row.user$&amp;form.tkn__user=$row.user$</link>
           </condition>
           <condition>
-            <link target="_blank">search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$row.app|s$%20Authentication.user%3D$row.user|s$%20%7C%20%60drop_dm_object_name(Authentication)%60&amp;earliest=$timeRange.earliest$&amp;latest=$timeRange.latest$</link>
+            <link target="_blank">search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$row.app|s$%20Authentication.user%3D$row.user|s$%20%7C%20%60cs_drop_dm_object_name(Authentication)%60&amp;earliest=$timeRange.earliest$&amp;latest=$timeRange.latest$</link>
           </condition>
         </drilldown>
       </table>